Description

Launch a dedicated logging server that serves as a central logging destination for servers in a deployment. It can also be used to integrate with third-party logging providers.

Technical Overview

Software Application Versions

Rsyslog 5.8

Authentication

Use the SSL Certificate input to establish secure encrypted connections (using Stunnel) between the rsyslog server and its clients by using the SSL certificate and key for authentication purposes. By default, the input is set to use a credential called LOGGING_SSL_CRED. Therefore, you should create a credential called LOGGING_SSL_CRED that contains both the SSL certificate and key.

Security and Firewall Permissions

By default, log data is sent to the logging server using the UDP protocol (Logging Protocol) on port 514. If you are launching the rsyslog server in a cloud that uses security groups (e.g. Amazon EC2), you must create a security group with UDP port 514 open so that the rsyslog server can collect log data from each client server.

RELP Support for Log Data Delivery

Rsyslog includes support for the Reliable Event Logging Protocol (RELP), which guarantees delivery of event logging messages. With the plain syslog protocol, when a connection is lost you cannot reliably detect whether the last messages sent actually reached their destination. RELP, by contrast, works with a backchannel over which information about received messages is conveyed back to the sender. This lets RELP know which messages were properly received when a connection is lost.
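The difference the backchannel makes, as an added example that is not part of the original page or of rsyslog: a simplified Python model (not the RELP wire protocol) of a link that fails mid-stream. The class and function names and the sample messages are constructed for illustration.

```python
# Added illustration: simplified model of an acknowledgement backchannel.
# Not wire-compatible with RELP; all names here are hypothetical.

class Receiver:
    """Logging server: stores messages and acknowledges each transaction number."""
    def __init__(self):
        self.stored = []

    def deliver(self, txnr, msg):
        self.stored.append(msg)
        return txnr  # acknowledgement returned on the backchannel

class Link:
    """Connection that silently loses every frame after `fail_after` deliveries."""
    def __init__(self, receiver, fail_after):
        self.receiver = receiver
        self.remaining = fail_after

    def send(self, txnr, msg):
        if self.remaining <= 0:
            return None  # frame lost; no acknowledgement comes back
        self.remaining -= 1
        return self.receiver.deliver(txnr, msg)

def send_plain(messages, link):
    """No backchannel: the sender cannot tell which messages arrived."""
    for txnr, msg in enumerate(messages, 1):
        link.send(txnr, msg)  # nothing to read back, so the result is unused
    return []  # sender's view: nothing is outstanding

def send_acked(messages, link):
    """RELP-style: a message stays queued until its number is acknowledged."""
    unacked = []
    for txnr, msg in enumerate(messages, 1):
        if link.send(txnr, msg) != txnr:
            unacked.append(msg)
    return unacked  # exactly the messages to resend after reconnecting

def deliver_with_outage(sender, messages, fail_after):
    """Send over a link that fails mid-stream, reconnect, resend what is outstanding."""
    rx = Receiver()
    outstanding = sender(messages, Link(rx, fail_after))
    sender(outstanding, Link(rx, len(outstanding)))  # healthy replacement link
    return rx.stored

# Constructed sample log lines
MESSAGES = ["sshd: login alice", "sudo: alice root shell", "sshd: logout alice"]
```

With the link failing after the first message, the unacknowledged sender leaves a gap in the stored log, while the acknowledged sender resends the two outstanding messages after reconnecting.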

Log Example

Log data for all rsyslog client servers is saved locally on the rsyslog server in /var/log/messages with the client's private IP address (if available) as a prefix for identification purposes (e.g. ip-10-244-165-15). See example output below.

Log Data Backups

The ServerTemplate does not have built-in support for storing log data on volumes. It also does not contain any scripts that support backups of the log files. All log entries are stored locally on the rsyslog server's ephemeral drive and will be lost when the server is terminated. Therefore, you should use this ServerTemplate for development and testing purposes only. If log data must persist after the logging server is terminated, you should consider using a third-party logging service or application such as Loggly or Splunk.